A new type of hack method?

Tue 27th Aug '13, 12:47pm

Hello,

When I entered my forum homepage a little while ago, I met with this page:

First I checked my server/FTP accounts and all were looking OK. My admin panel was working too, so I searched in the templates and saw that he had changed the "FORUMHOME" script. I reverted it and everything went back to normal.

Then I did some deeper research and saw that he had created a plugin in the vBulletin system like this:

At the same time I've seen this in my mail:

When I searched for some keywords from the hacking message I saw that he had hacked many sites today with the same method:

He even hacked the homepage of the antifraudintl.org forum, and this is the thread in their forum about this matter (their homepage is still hacked; if you read this message, you have to revert the FORUMHOME template).

Comment

How? Where do I need to go in the root folders to remove it? After reading this thread, our site "so far" has not been a victim. However, my human verification security questioning requirements are more stringent and many bogus folks have been blocked from registering.

Comment

You should remove it completely (you may want to copy the code to a text file just so you have it for future reference).

You should also go to Admin CP -> Maintenance -> Diagnostics -> Suspect File Check. If any files say "Does not contain expected contents" you should re-upload a fresh set of files for your version of vBulletin.

Make sure you are running the latest version of vBulletin as well.

Also if there are any files not recognized as part of vBulletin you will need to manually check them to be sure they are clear of exploits. If you have a lot of 3rd party add-ons this can be time consuming. Consider removing add-ons and reinstalling fresh copies of the latest versions.

Double check your list of Administrators in Admin CP -> Usergroups -> Usergroup Manager, if you have an Admin account you didn't create then this was likely the result of the exploit announced yesterday.

There is still the possibility that your case was caused by a 3rd party add-on or server vulnerability; if no new Admin account was created it may not be the same hack.
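The file-level checks recommended above (Suspect File Check, removing the install folder, reviewing files that are not part of vBulletin) can be scripted against a clean copy of the same vBulletin version. This is an added example, not code from the thread or from vBulletin; the webroot and clean-copy paths are arguments you supply, and it assumes file names contain no newlines.

```shell
#!/usr/bin/env bash
# Compare a deployed vBulletin tree against a clean reference copy of the same
# version and report the artifacts discussed in this thread:
#   INSTALL_DIR_PRESENT  the install/ directory was left in place after setup
#   MODIFIED <path>      file content differs from the clean copy (e.g. index.php)
#   MISSING <path>       a file from the clean copy is gone
#   EXTRA <path>         a file not present in the clean copy (review by hand)
# Usage: vb_integrity_report /var/www/forum /tmp/vbulletin-clean
vb_integrity_report() {
  local webroot="$1" clean="$2"
  # The install directory is only needed during setup; its presence is a finding.
  if [ -d "$webroot/install" ]; then
    echo "INSTALL_DIR_PRESENT $webroot/install"
  fi
  # Every file in the clean copy must exist unchanged in the deployment.
  ( cd "$clean" && find . -type f ) | while IFS= read -r rel; do
    rel=${rel#./}
    if [ ! -f "$webroot/$rel" ]; then
      echo "MISSING $rel"
    elif ! cmp -s "$clean/$rel" "$webroot/$rel"; then
      echo "MODIFIED $rel"
    fi
  done
  # Anything in the deployment that the clean copy does not have needs review;
  # this catches files dropped by an attacker as well as legitimate add-ons.
  ( cd "$webroot" && find . -type f ) | while IFS= read -r rel; do
    rel=${rel#./}
    if [ ! -f "$clean/$rel" ]; then
      echo "EXTRA $rel"
    fi
  done
}
```

Add-on files will show up as EXTRA, so run it against a copy that already contains your known add-ons, or reinstall those from fresh downloads as suggested above.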

Comment

As above. This problem was found on Tuesday morning about 11 am Japan time. Like reignman, we had 2 people registered as federal. One is now deleted and the other had all permissions removed and PW changed. I have no idea how he got in. All new members receive an email with an activation link in it. They have to click to become active, but even then they only go into an admin queue for final approval. Supposedly, no one can do anything until admin approval and only admins can do it, not mods. Maybe Abdou found some way to make himself an admin but I don't know how.

I have also found a file "federal" in the plugin and that is removed. We only have vB software and vBadvanced for the front page (with all our language forums). vBa is the only plugin that is set up. All "abdou" did is deface our front page. The forum works fine from the forum/php page. I have removed the install file as Zachary has indicated. But the problem has not been resolved.

NB: vis-à-vis Abdou, we may have identified him and some of his hacker friends. Since our website runs on a US server, Abdou has violated federal law (maybe USC Title 18, but I don't have the citation in front of me). Abdou has been reported to law enforcement agencies in the USA and UK among others. If anyone else has been hacked and you have any LE friends, let them know.

Comment

I got the same "federal" member who got admin access on one of my sites.
Apparently he tried to add an announcement with no success and looked at user.php --> viewjoinrequests.
No plugin added on my site and no file edit.
IP used: 41.248.180.132 (Morocco)
I deleted the install folder and banned the IP from my server.

Comment

Problem resolved, for now. Somehow, whatever Abdou did, he installed a new index.php over our old one. All I had to do was go into FTP and copy our original index.php over the "new" one. Sorry I'm not clever. If I was I might have thought of this sooner.

Comment

The way vBulletin have handled this serious exploit has really got me annoyed. Whenever vBulletin want us to buy something such as vB5 we get an email, but with a serious exploit such as this, the best vBulletin staff can manage is an announcement post! Not good enough, vBulletin. I'm now seriously looking to move to another forum system.
